HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information - § 164.502(d)
As Contained in the HHS HIPAA Privacy Rules
|
HHS Regulations |
(d) Standard: Uses and disclosures of de-identified protected health information—(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that:
(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.
| HHS Description General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information |
In proposed § 164.506(d) of the NPRM, we proposed to permit use of protected health information for the purpose of creating de-identified information and we provided detailed mechanisms for doing so.
In § 164.502(d) of the final rule, we permit a covered entity to use protected health information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. We clarify that de-identified information created in accordance with our procedures (which have been moved to § 164.514(a)) is not subject to the requirements of these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify such information is also defined to be disclosure of protected health information. See the preamble to § 164.514(a) for further discussion.
| HHS Response to Comments Received General Rules for Uses and Disclosures of Protected Health Information -- Creation of De-identified Information |
Comments on the requirements for de-identifying information are addressed in the preamble to § 164.514(a)-(c).